Recently active topics

Every time we update openshift in azure, my cribl config is lost. since we have the free version, we cannot use git repository. would using persistent storage helps keep the config because the update process drains the node from the cluster and restart them on another node. I suspect this is why the config is not kept.

You’ve got logs landing in S3 — maybe CloudTrail, maybe Snowflake, maybe Crowdstrike FDR as examples. The question that inevitably comes up is: “Should we use an S3 Collector or an Amazon S3 Source (via SQS) to get them into Cribl Stream?” It’s a great question, and like many things in the security and observability space, the answer depends on how you want to work with your data. Let’s break it down. What’s an S3 Collector Source? Think of the S3 Collector Source as a batch retrieval engine. It’s perfect when you need to reach back in time and grab a chunk of data from S3 — say, “get me three hours of logs from noon yesterday for host==abcd.” It doesn’t care about real-time ingestion or message queues. You tell it what timeframe and what filters you want, and it goes and gets them, either on demand or on a schedule. Ideal when you:Need to rehydrate historical logs (for example, for a retroactive investigation) Want to replay old data for validation, benchmarking, or pipeline testing W

Can i install Cribl Edge on my worker nodes without any production impact. `I want to use Cribl  Edge to monitor my Cribl Workers and certain files

We’ve rolled out updates across the entire Cribl Suite — here’s some hi-lights:Stream /   EdgeFresh unified Cloud home page New IAM Admin role for smoother org & SSO management Added Google Cloud Chronicle destination SearchSmarter, more flexible Notebooks New activity graphs to track workspace usageLakeAdded activity graphs + IAM Admin role Performance and UI polish throughoutYou can check out all the changes in the release notes: Search, Stream, Edge, LakeIf you are using Cribl.Cloud, you have already been upgraded to the latest version. You just need to click "deploy" in your cloud instance.On-prem customers can get the update at this link. (

cisco_asa_cleanup pack is not working for me, now sure how to make it work , need help in utilizing it, sample logsOct 1 03:23:58 asa_server_ip %ASA-6-302014: Teardown TCP connection 39876417 for VTI-Murex-abc:xx.xx.xx.xx/443 to inside:xx.xx.xx.xx/44714 duration 0:00:00 bytes 9514 TCP FINs from inside 0 0Oct 2 06:51:58 asa_server_ip %ASA-6-302013: Built inbound TCP connection 39876427 for VTI-Murex-abc:xx.xx.xx.xx/34664 (x.x.x.x/34664) to inside:xx.xx.xx.xx/443 (x.x.x.x/443) -1 -1Oct 3 04:54:58 xx.xx.xx.xx %ASA-6-302013: Built outbound TCP connection 39876426 for VTI-Murex-abc:x.x.x.x/443 (xx.xx.xx.xx443) to inside:x.x.x.x./14326 (xx.xxx.xx.xx/14326) 1 5Oct 5 01:54:58 xx.xx.xx.xx %ASA-6-302020: Built inbound ICMP connection for faddr xx.xx.xx.xx/54615 gaddr x.x.x.x/0 laddr x.xx.x.xx/0 type 8 code 0 Internal-Data0/-1:RX[-1]Oct 15 07:54:58 xx.xx.xx.xx%ASA-6-106015: Deny TCP (no connection) from x.x.x.x/38492 to xxx.xx.xx.x/6425 flags ACK  on interface VTI-Murex-abc  

Hi all i am trying to upload few packs into stream leader using files but getting below sample error Error while installing Pack file cribl-cisco-asa-cleanup-1.1.15 (1).crbl in Group: Dev-OP: failed to install: ENOENT: no such file or directory, open '/opt/cribl/state/packs/cribl-cisco-asa-cleanup.LtY1yaM.tmp/data/lookups/asa_drops.csv'. what does this error suggest we have already uploaded few which got uploaded. 

​Hi Team,I’m working on an SNMP trap pipeline where:Input event has fields like trap_name and trap_varbind_apSysMgmtTaskSuspend.I have a Lookup table that maps:trap_name → varbindname → Output_attribute_value.After Lookup, I want to create a new field dynamically:Field name = value of Output_attribute_value (e.g., id)Field value = value from the field referenced by varbindname (e.g., trap_varbind_apSysMgmtTaskSuspend).I tried using Eval with:JavaScript[Output_attribute_value] = get(__payload, varbindname)Show more lines…but got Unallowed assignment operator error.Then I tried a Code function: JavaScriptconst targetField = event.Output_attribute_value;const sourceField = event.varbindname; if (targetField && sourceField && event[sourceField]) {event[targetField] = event[sourceField];}Show more linesBut the new field (id) still doesn’t appear in the final JSON.Questions:Is Code function the right approach for dynamic field names?How can I verify Lookup values before Code

Is there a way of directly integrating netskope with cribl using rest api’s without using s3 Buckets for transactional logs

Hi all, I just completed the Level 3 Prerequisite exam but I have a question.One of the questions was as follows:What would be the result of the Mask function with the following settings Match Regex =`(user_id=) (d+)" Replace Expression = C. Mask. random( ${g2}') on the event host=server. local user_id=12345?A)host=server. local aeQI9B) host=server. local user_id=fe8780bd8237b0388df7175034db75d6C) host=server. local user_id=aeQI9D) The event would remain unchanged because the Match Regex is invalid.I chose option D. But apparently this was the wrong answer. But I think it shouldn't be… Here is why.The event host=server.local user_id=12345….(user_id=) (d+) matches “user_ID=”(d+) is incorrect, d is just a literal d and not a digit in this case, it should have been \d+. There is also a space in the regex, but the event itself does not have a space. “user_id=12345”This is why the event would remain unchanged because the match regex is invalid. If I am wrong, please explain to me where I am

We would like to stream data into RDBMS, but we don’t see the option rdbms destination. How can this be achieved?

Previews of our new Terraform provider and SDKs are ready for you to explore!Check out the details on the Cribl as Code page.Kick the tires and tell us what you think!

HI all  I am trying to create a pipeline where all syslog data will land and i want to filter the events from device i want based on a string in _raw filed like firewall or any other unique string.i have tried _raw.includes(‘Firewall’) or /Firewall/ though when i  check in advanced mode in filter tab it matches the correct event but when i am checking it on a sample log i have built for testing it passes all the events regardless of filter.I know this can be done in routes itself but still would prefer if i could build a pipeline and more function inside it for each sources.